Currently, the eapol code seems to support specifying a single CA certificate and client certificate: https://github.com/vyos/vyos-1x/blob/122c7a53575f67759f157e02eca776f799658dc1/src/conf_mode/interfaces-ethernet.py#L170-L171
However, with some ISPs (eg. AT&T Fiber), there are multiple certificates in the server chain of trust (eg. intermediate + root CA) and the client cert might also have its own separate chain of trust as well. wpa_supplicant supports specifying these additional CA's by appending them to the end of the ca_file (server) and client_cert (client) PEM files. It would be nice if this could be configured via the VyOS configuration system. Without this, the EAP-TLS handshake is unable to complete successfully.
(Edited on 2022-02-17 to mention client chain of trust)